Security researchers at Trend Micro used Tor honeypots to conduct a six-months study of the attack landscape of the Dark Web,

Security experts at Trend Micro have conducted a six-months study of the attack landscape of the Dark Web, researchers operated a honeypot setup simulating several underground services on the Dark Web in order to analyze the way they were targeted.

The research aims to analyze how crooks target platforms run by other criminal organizations or individuals.

The honeypots used by the experts consisted of:

A black market that only trades between a close circle of invited members.

A blog offering customized services and solutions for the Dark Web.

An underground forum that only allows registered members to log in. In addition, vouching is needed to become a member.

The services running on the honeypots were deliberately affected by a number of vulnerabilities to allow attackers to hack them. The researchers automatically recorded all logs after every successful attack and restored the environment to a clean state each day.

“To this end, we simulated a cybercriminal installation in Tor using several honeypots. Each honeypot exposes one or more vulnerabilities that would allow an attacker to take ownership of the installation. Upon infection we automatically recorded all logs and restored the environment to a clean state.” reads the analysis published by Trend Micro.

The following chart shows the average number of daily attack attempts, as measured by the number of POST requests, in just one month, the number of attacks spiked to 160 per day, most of them successful.

The first discovery made by the researchers is that many attacks were originated from Tor proxies like Tor2web that allows reaching hidden services from the clear web.

“Tor proxies like Tor2web made Tor hidden services reachable without requiring any additional configuration from the public internet. Our honeypot was automatically made available to traditional search engines, and implicitly dangled as a target for automated exploitation scripts,” states the report.

The analysis of the attacks revealed that most of them installed web shells on the server to gain control over it, in the majority of the cases attackers used the machine to power DDoS attacks and to run spam campaigns.

In order to analyze only attacks from within the Dark Web, researchers filtering the traffic from Tor proxies, then observed the number of attacks drastically decreased.

A second point emerged from the analysis is that while the attacks from Tor proxies were performed with automated tools, attacks from within the Dark Web were most manually conducted.

“Attackers from the open internet tended to use automated attack tools, while Dark Web attackers tended to carry out manual attacks as they were generally more cautious and took their time. For example, once they gained access to a system via a web shell, they would gather information about the server first by listing directories, checking the contents of databases, and retrieving configuration/system files.” continues the report.

“These manual attackers often deleted any files they placed into our honeypot; some even went ahead and left messages for us (including ‘Welcome to the honeypot!’), indicating that they had identified our honeypot.”

The results of the study confirm that organizations operating in the Dark Web seem to be attacking each other. Hackers from within the Dark Web carried out the following attacks:

Defacements aimed at subverting the business of our honeypot and aimed at promoting a competitor web site, possibly run by the attackers.

Attempts to hijack and spy on the communications originating to and from our honeypot